We were happy to recommend it, as a college. It has some basic failsafes in, such as declaring self-signed certificates as invalid, and not storing your login details in the app (it creates a token).
And it's developed by Moodle HQ, who aren't going to monkey around when it comes to security. Juan (chief developer) can probably chime in with more technical justification.
The app is widely used by institutions around the world and we've never received any complaint about security.
The app doesn't store the user credentials, it uses a token that is generated the first time the user accesses (the token is valid for 3 months).
Mobile services are only enabled by default in sites using https.
We only allow certain features (like auto-login from the app to the site) via https and under certain security restrictions (using a special secured token created the first time a user accesses).
The Mobile service only exposes a subset of the Moodle features (for example, no admin web services are enabled in the mobile service).
As long as your site uses https, it will be very safe to use the mobile app (but that also applies to websites, https is mandatory these days).
Thank you Juan.
I've noticed that after making the changes suggested in the install guide,
- Go to Site administration > Users > Permissions > Define roles, edit the Authenticated user role and allow the capability moodle/webservice:createtoken.
that Moodle's own security report marks the 'Default role for all users' as being critically insecure.
Additionally, when you do that step it sets off every internal warning regarding security risks.
What Moodle version are you using?
If I remember well, this security check was removed recently in 3.2.